MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece
SHA3-384 hash: c479c5fd98d2967ab9b1ea498b5d349e419a4c469f86864f1a07255dbb35911f4af783b0c75dbc060401b09a6a628961
SHA1 hash: 0e55afb7134c54baf775a3f8dbfcd7936361ce1a
MD5 hash: e5283abf739e36fd9e77c617b0028567
humanhash: bakerloo-oregon-failed-mike
File name:New Order.bat
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:228'252 bytes
First seen:2025-03-26 17:06:19 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:0AeVwHyo+aD5NE7ZLgUzN4b9H2mncpe1jg7RmtQ/n0HfZ2Z1wJ6GghPs:W3aD5NEiUx4Tncpe5HfQwJSS
Threatray 2'033 similar samples on MalwareBazaar
TLSH T1B8246C7BC3F46EC80B751390648E3A0F207D1ED716396A3C66EA148166D4D16EB7BB2C
Magika vba
Reporter lowmal3
Tags:bat SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order.bat
Verdict:
Malicious activity
Analysis date:
2025-03-26 17:07:49 UTC
Tags:
snake keylogger evasion stealer ftp susp-powershell
Link:
https://app.any.run/tasks/7ca5460e-3c35-429f-9ac0-ef888eff6fb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BAT.Agent-36.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e4344512b5dc44da3e439b
Tags:
autorun shell spawn sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated
Link:
https://www.filescan.io/uploads/67e43444f274bf2d8e23b14d/reports/3c8ba660-1538-4153-abd3-c5ab997389d3/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.AZY
Link:
https://www.hybrid-analysis.com/sample/de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Result
Threat name:
Batch Injector, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1649368
Signature
Bypasses PowerShell execution policy
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649368 Sample: New Order.bat Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 59 reallyfreegeoip.org 2->59 61 checkip.dyndns.org 2->61 63 checkip.dyndns.com 2->63 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Multi AV Scanner detection for submitted file 2->77 81 10 other signatures 2->81 8 cmd.exe 1 2->8         started        11 cmd.exe 2->11         started        13 cmd.exe 1 2->13         started        15 16 other processes 2->15 signatures3 79 Tries to detect the country of the analysis system (by using the IP) 59->79 process4 signatures5 89 Suspicious powershell command line found 8->89 91 Bypasses PowerShell execution policy 8->91 17 cmd.exe 3 8->17         started        20 conhost.exe 8->20         started        22 cmd.exe 11->22         started        24 conhost.exe 11->24         started        26 cmd.exe 2 13->26         started        28 conhost.exe 13->28         started        30 cmd.exe 2 15->30         started        32 cmd.exe 2 15->32         started        34 30 other processes 15->34 process6 signatures7 71 Suspicious powershell command line found 17->71 36 powershell.exe 15 20 17->36         started        41 conhost.exe 17->41         started        43 powershell.exe 22->43         started        45 conhost.exe 22->45         started        47 powershell.exe 26->47         started        49 conhost.exe 26->49         started        51 2 other processes 30->51 53 2 other processes 32->53 55 28 other processes 34->55 process8 dnsIp9 65 50.31.176.103, 21 SERVERCENTRALUS United States 36->65 67 checkip.dyndns.com 193.122.6.168, 49693, 49704, 49717 ORACLE-BMC-31898US United States 36->67 69 reallyfreegeoip.org 104.21.48.1, 443, 49694, 49695 CLOUDFLARENETUS United States 36->69 57 C:\Users\user\...\StartupScript_fa5f5358.cmd, ASCII 36->57 dropped 83 Tries to steal Mail credentials (via file / registry access) 36->83 85 Found suspicious powershell code related to unpacking or dynamic code loading 36->85 87 Tries to harvest and steal browser information (history, passwords, etc) 43->87 file10 signatures11
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yvrnragvezkw6eposiaxwwvwahzeyjg3gcdp4kr45ajaxwcx3ha._file
Verdict:
malicious
Label(s):
404keylogger
Create hunting rule
Similar samples:
6f5c8e04089a2db3aaa4d9447de589e5df8899292fbc70a5ad852d7abc7f174e
SnakeKeylogger
98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f
SnakeKeylogger
a2584975149658da70c801f79fbfdcdd66eddf114b84332d401d2ad6a0ddbf78
SnakeKeylogger
d4fce5bc1eb1088361f707f46d9bcd22cb7ca46c6f8a2431b4beef859995e820
SnakeKeylogger
e447c6661b45bf1feacf2e5610b20487dadf0b09150b3371f86d09f01a29a2b0
SnakeKeylogger
error
SnakeKeylogger
+ 2'023 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection discovery execution keylogger stealer
Link:
https://tria.ge/reports/250326-vm4d4syzey/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Drops startup file
Blocklisted process makes network request
Snake Keylogger
Snake Keylogger payload
Snakekeylogger family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Batch (bat) bat de2b16c406a932ab788f74900bdad5b00f926126d98437f151e740905ec2bece

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments